On September 22, 2021, Secretary of Homeland Security Alejandro N. Mayorkas and Secretary of Commerce Gina Raimondo released a joint statement on the Department of Homeland Security’s (“DHS’s”) issuance of preliminary Critical Infrastructure Control Systems Cybersecurity Performance Goals and Objectives (the “Preliminary Goals”). As we previously reported, on July 28, 2021, the Biden Administration signed a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems (the “Memo”), which instructed DHS to lead the development of cybersecurity performance goals for critical infrastructure firms. The Memo described the initiative as “a voluntary, collaborative effort between the Federal Government and the critical infrastructure community to significantly improve the cybersecurity of these critical systems.”
The Preliminary Goals, developed in conjunction with the Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology (“NIST”), identify nine overarching control system cybersecurity performance goals, each containing specific objectives to support the deployment and operation of secure control systems. The Preliminary Goals identify baseline objectives, which are recommended for all control system operators, and enhanced objectives, which are geared toward national defense and critical lifeline infrastructure (e.g., energy, communications, transportation and water).
The categories of the Preliminary Goals are as follows:
- Risk Management and Cybersecurity Governance – covering the identification and documentation of cybersecurity risks to control systems using recommended practices (g., NIST and ISA/IEC frameworks) and the provision of dedicated resources to address cybersecurity risks;
- Architecture and Design – covering the integration of cybersecurity and resilience into system architecture design in accordance with established, recommended practices for segmentation, zoning and isolating critical systems, to be updated annually with lessons learned (including from industry and federal recommendations), as appropriate;
- Configuration and Change Management – covering documentation and control of hardware and software inventories, system settings, configurations and network traffic flows throughout control system hardware and software lifecycles;
- Physical Security – covering limiting physical access to systems, facilities, equipment and other assets (including those in transit) to authorized users, as well as securing these areas against risks from the physical environment;
- System and Data Integrity, Availability and Confidentiality – covering the protection of a control system and its data against corruption, compromise or loss;
- Continuous Monitoring and Vulnerability Management – covering implementation and performance of continuous monitoring of control systems for cybersecurity threats and vulnerabilities;
- Training and Awareness – covering the training of personnel in fundamental knowledge and skills for recognizing control system cybersecurity risks and understanding their roles and responsibilities within established cybersecurity policies, procedures and practices;
- Incident Response and Recovery – covering the implementation and testing of control system response and recovery plans with clearly defined roles and responsibilities; and
- Supply Chain Risk Management – covering the identification of risks associated with control system hardware, software and managed services, as well as implementation of policies and procedures for effective supply chain risk management consistent with best practices (e.g., from NIST) to prevent the exploitation of systems.
According to the DHS, the Preliminary Goals will be finalized in the coming months as the agency conducts more extensive engagement with stakeholders.